In communication networks a number of applications share a need for authentication between a client (that is, the end user device or user equipment, UE) and an application server before further communication can take place. For providing a peer authentication mechanism 3GPP (3G Partnership Project) has defined a Generic Authentication Architecture (GAA) and Generic Bootstrapping Architecture (GBA). GAA/GBA describes a generic architecture for peer authentication that can a priori serve for any (present and future) application. GAA/GBA is based on mobile algorithms AKA (Authentication and Key Agreement) for 3GPP and CHAP (Challenge Handshake Authentication Protocol) and CAVE (Cellular Authentication and Voice Encryption) for 3GPP2. Additionally there is a username/password variant of GAA/GBA defined by Cable Labs.
GAA/GBA is specified to be used with a Home Subscriber System (HSS) and diameter access. A new network element called the Bootstrapping Server Function (BSF) is introduced in GAA/GBA. This BSF has a diameter base interface with the HSS. The bootstrapping procedure of the GAA/GBA is specified in 3GPP TS 29.109 v 7.4.0.
FIG. 1 shows a simplified block diagram of a GAA/GBA system 100 according to 3GPP specifications. The system comprises a user equipment (UE) 101 that has a Ub interface to a Bootstrapping Server Function (BSF) 102 and a Ua interface to an application server (Network Application Function, NAF) 105. The BSF 102 has a Zh interface to a Home Subscriber System (HSS) 103, a Dz interface to a Server Locator Function (SLF) 104 and a Zn interface to the NAF 105.
FIG. 2 shows a messaging diagram illustrating the GAA/GBA bootstrapping procedure according to 3GPP specifications in the system of FIG. 1. First the UE starts the bootstrapping procedure with the BSF through the Ub interface by sending a bootstrapping request 2-1 including IMPI (IMS Private User Identity) of the UE's user.
The BSF requests user's authentication vector (AV) and GBA User Security Settings (GUSS) from the user's HSS through the Zh interface by sending a multimedia authentication request 2-2 including the IMPI of the UE's user. The multimedia authentication request is sent in the format of Multimedia-Auth-Request (MAR) message. The HSS generates the authentication vector and fetches the GUSS in phase 2-3 and supplies a multimedia authentication answer 2-4 including the authentication vector and the GUSS to the BSF. The multimedia authentication answer is sent in the format of Multimedia-Auth-Answer (MAA) message. In 3GPP the authentication vector comprises RAND (random challenge in authentication), AUTN (authentication token), XRES (expected response in authentication), CK (confidential key), and IK (integrity key).
If there are more than one HSS deployed in the network, the BSF may contact the SLF 104 through the Dz interface to find out which HSS should be contacted for that specific user prior to sending the multimedia authentication request 2-2. The SLF returns the address for the relevant HSS in response to a request.
The BSF stores the bootstrapping information tuple (comprising IMPI, key material and GUSS) for the IMPI in phase 2-5 and sends a bootstrapping answer 2-6 to the UE. Thereafter the BSF and the UE continue with the bootstrapping procedure through the Ub interface.
The NAF 105 may fetch authentication information (the key material stored in the BSF) from the BSF 102 through the Zn interface and thereby may authenticate the UE 101 at the start of an application session through the Ua interface or use the received key material otherwise to secure the communication.
A problem that some communication network operators have with GAA/GBA is that they do not (yet) have a HSS with diameter base access, whereby they cannot run GAA/GBA according to the 3GPP specifications.